 From:  Yannick Bréhon <y dot brehon at qiplay dot com>
 To:  Marcel Wiget <mwiget at gmail dot com>, cbuechler at gmail dot com, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Firewall not respecting rules ?!?
 Date:  Wed, 23 Jul 2008 17:14:01 +0200
Hi again and thanks to sai, Marcel Wiget and Chris Buechler for their
suggestions... Sadly I am still stuck!

I tried using the following rule:
Interface   Source              Destination         Target
WAN         192.168.128.0/17    ! 192.168.2.0/24    *

this enables Internet, but not the WAN/LAN communication

I also tried this rule instead:
WAN         192.168.0.0/16      ! 192.168.0.0/16    *
and also:
WAN         192.168.0.0/16      *                   *
without any more success :( The response packets are still being filtered!!!
I am using 1.3b13 by the way, but 1.3b04 was having the same symptoms...

Yannick


> well, the trick is to create the NAT rules in a way that they catch
> all traffic except the ones from your box to your LAN network
> 192.168.128.0/17.
> If box is the only host in question here, add a NAT rule that matches
> your LAN as the source and _not_ your box's IP address.
> 
> Marcel
> 

>> Well, as soon as I activate NAT service as you suggested, connectivity
>> disappears. I tried activating NAT for destination "!192.168.0.0/16" but
>> then my Internet disappears... This is *really* weird :(
>> I seem to have to choose: Internet or local connectivity ...
>>

>>> to get NAT service, you need to add now static outbound NAT rules on
>>> the WAN interface so that traffic with source address from your LAN is
>>> properly NAT'd while traffic from your box to the LAN isn't.
>>>
>>> I use a setup with 3 interfaces: WAN, DMZ and LAN and have it set up
>>> so that LAN traffic gets NAT'd thru WAN but not between LAN <-> DMZ.
>>> In this case my static Outbound NAT rule is
>>>
>>> interface: WAN
>>> Source: 192.168.1.0/24 (my LAN subnet)
>>> Destination: *
>>> Target: *
>>>
>>> hope this helps
>>>

>>>> OK, we are starting to get some motion...
>>>> I did what you suggested, and as far as allowing cross communication
>>>> between LAN and WLAN, it worked! But of course now the problem is that I
>>>> can't get on the Internet any more from behind the m0n0... (the entire
>>>> problem comes from my DSL modem which is not a full-fledged router and
>>>> cannot be given static routes, thus the need for m0n0 NATting when going
>>>> outbound).
>>>> Any further suggestions so as to get the same outcome *without* turning
>>>> off NAT? In particular, I don't understand why incoming connections are
>>>> let through, create a firewall state, but return packets are filtered
>>>> (despite "all-pass" rules) ?!
>>>>


>>>>>
>>>>>> OK here it is! Thanks to everyone who might help with this issue!
>>>>> Since it seems that you don't want NAT between LAN and WAN, you need to
>>>>> check the "Enable advanced outbound NAT" option and not define any
>>>>> outbound NAT rules (and remove the existing inbound NAT rules as well).
>>>>> That will effectively cause m0n0wall to become a plain (firewalling)
>>>>> router, with no NAT at all.
>>>>>
>>>>> - Manuel
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
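The outbound NAT rule variants discussed in this thread differ only in how the destination column is negated, so an added example (not from the thread or from m0n0wall's own code) that evaluates those rule tables against a few constructed flows makes the difference concrete. It assumes first-match evaluation, "*" meaning any address and a leading "!" meaning "not in this network"; the host addresses are constructed, only the subnets come from the thread.

```python
import ipaddress

def make_matcher(spec):
    """Build a predicate for one rule column: '*' matches anything,
    a leading '!' negates membership in the given network (assumed semantics)."""
    spec = spec.strip()
    if spec == "*":
        return lambda ip: True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("! "), strict=False)
    return lambda ip: (ipaddress.ip_address(ip) in net) != negate

def first_match(rules, src, dst):
    """Index of the first (source, destination) rule matching the flow, else None.
    With advanced outbound NAT, an unmatched flow is routed without translation."""
    for i, (source, destination) in enumerate(rules):
        if make_matcher(source)(src) and make_matcher(destination)(dst):
            return i
    return None

def is_natted(rules, src, dst):
    return first_match(rules, src, dst) is not None

# Rule tables from the thread, as (source, destination) on the WAN interface.
RULE_A = [("192.168.128.0/17", "!192.168.2.0/24")]   # excludes one local /24
RULE_B = [("192.168.0.0/16", "!192.168.0.0/16")]     # excludes the whole 192.168/16
RULE_C = [("192.168.0.0/16", "*")]                   # NATs everything from 192.168/16

# Constructed flows: a LAN host (192.168.128.0/17) talking to the Internet
# and to a host on the other local subnet (192.168.2.0/24).
FLOWS = {
    "lan_to_internet":    ("192.168.128.10", "198.51.100.7"),
    "lan_to_other_local": ("192.168.128.10", "192.168.2.20"),
}

def summarize(rules):
    """Map each constructed flow name to whether the rule table would NAT it."""
    return {name: is_natted(rules, src, dst) for name, (src, dst) in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("A", RULE_A), ("B", RULE_B), ("C", RULE_C)):
        print(label, summarize(rules))
```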